Skip to main content
Skip table of contents

Fidelis EDR

LAST UPDATED: 09/24/2024

Overview

Fidelis EDR Detection and Response (EDR) is a cybersecurity solution designed to protect organizations from advanced threats, detect suspicious activities, and respond to incidents on endpoints (such as computers, servers, and mobile devices). As part of the Fidelis Cybersecurity portfolio, it provides real-time visibility, threat detection, and response capabilities for identifying malicious behavior or vulnerabilities across endpoints.

D3 SOAR is providing REST operations to function with Fidelis EDR.

Fidelis EDR is available for use in:

D3 SOAR

V16.7+

Category

Endpoint Security

Deployment Options

Option I, Option II, Option III, Option IV

Connection

Permission Requirements

Each endpoint in the Fidelis EDR API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Required Scopes

Delete File Search Tasks

Scripts, View Executables, Delete Executables

Download Collected Files

Scripts, View Executables

Execute Script Package

Read groups, View Behaviors, View Task Results

Fetch Event

View Alerts

Get Collected Files

View Executables

Get File Search Task Status

View Executables

Get Script Job Results

Read groups, View Behaviors, View Task Results

Get Script Job Status

Scripts, View Executables, View Task Results

Get Script Manifests

View Behaviors

Get Script Templates

View Behaviors

List Hosts

N/A

List Scripts

Read groups, View Behaviors

Search Behavior Events

Read groups, View Behaviors, View Task Results

Search Files

Scripts, View Executables

Test Connection

View Alerts

Configuring D3 SOAR to Work with Fidelis EDR

  1. Log in to D3 SOAR.

  2. Find the Fidelis EDR integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Fidelis EDR in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Fidelis EDR.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the checkbox to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
      1. Input the Server URL
      2. Input the Username
      3. Input the Password.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

    11. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Fidelis EDR includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Fidelis EDR API, please refer to the Fidelis EDR API Guide.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements section for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

Navigate to Configuration > Application Settings. Select Date/Time Format.

Choose your desired date and time format, then click on the Save button.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Delete File Search Tasks

Deletes the specified Search File task(s) to free up server space by removing them from the database and cleaning up their file system entries.

READER NOTE

Job IDs is a required parameter to run this command.

  • Run the Search Files command to obtain the Job IDs. Job IDs can be found in the raw data at the path $.data.jobId.

Input

Input Parameter

Required/Optional

Description

Example

Job IDs

Required

The IDs corresponding to the jobs for which to delete the file search task(s). Job IDs can be obtained using the Search Files command.

CODE
[ "*****" ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "Results": [
        {
            "JobID": "*****",
            "Message": "The Task was removed successfully."
        }
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Deleted Tasks Count

1

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Job failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Delete Job failed.

Status Code: 400.

Message: Connection is required for Test Command

Download Collected Files

Downloads the collected file from a previously initiated Search Files task.

READER NOTE

File ID and File Path are required parameters to run this command.

  • Run the Get Collected Files command to obtain the File ID. File IDs can be found in the raw data at the path $.data.jobResultInfos[*].collectedFiles[*].id.

  • Run the Get Collected Files command to obtain the File Path. File Paths can be found in the raw data at the path $.data.jobResultInfos[*].collectedFiles[*].filePath.

Input

Input Parameter

Required/Optional

Description

Example

File ID

Required

The ID of the file to be downloaded. File ID can be obtained using the Get Collected Files command.

*****

File Path

Required

The file path of the file to be downloaded. File Path can be obtained using the Get Collected Files command.

[root]\\av tenant\\AgentSetup.txt

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "fileID": "*****",
    "fileName": "[root]\\av tenant\\AgentSetup.txt",
    "md5": "*****",
    "sha1": "*****",
    "sha256": "*****"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "FileName": "[root]\\av tenant\\AgentSetup.txt",
  "FileID": *****
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

fileID

*****

fileName

[root]\av tenant\AgentSetup.txt

md5

*****

sha1

*****

sha256

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

File Search Result Metadata failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

File Search Result Metadata failed.

Status Code: 400.

Message: Connection is required for Test Command

Execute Script Package

Executes a script package. This command allows you to run scripts, including actions such as killing a process, deleting a file, listing processes, and isolating or unisolating an endpoint.

READER NOTE

Script ID is a required parameter to run this command.

  • Run the List Scripts command to obtain the Script ID. Script IDs can be found in the raw data at the path $.data.scripts[*].id.

Questions is an optional parameter to run this command.

  • Run the Get Script Templates command to obtain Questions.

Input

Input Parameter

Required/Optional

Description

Example

Script ID

Required

The ID of the script package to execute. Script ID can be obtained using the List Scripts command.

*****

Endpoint IPs

Optional

The IP address(es) of the endpoint(s) where the script is to be executed. By default, all endpoints will be used.

CODE
[ "***.***.***.***" ]

Script Time Out

Optional

The maximum duration, in seconds, allowed for the execution of the script before it times out. By default, the value is 300 seconds.

600

Questions

Optional

The parameter(s) for a specific script, with each script requiring its own template. Question templates can be obtained using the Get Script Templates command.

JSON
[
  {
    "paramNumber": 1,
    "answer": "host1"
  },
  {
    "paramNumber": 2,
    "answer": "Windows"
  }
]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "jobId": "*****",
        "jobResultId": "*****"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "JobID": "*****",
  "JobResultID": "*****"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Script Packages Count

1

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

File Search Status failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

File Search Status failed.

Status Code: 400.

Message: Connection is required for Test Command

Fetch Event

Ingests Fidelis EDR alerts into D3 vSOC based on search conditions. The alerts are sorted by create date in descending order.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The beginning of the time range, in UTC, for retrieving Fidelis EDR alerts. By default, the start time is 3 days before the End Time.

2024-08-06 18:00:00

End Time

Optional

The end of the time range, in UTC, for retrieving Fidelis EDR alerts. By default, the end time is the current time.

2024-08-06 18:59:59

Search Conditions

Optional

Search field(s) and value(s) used to filter alert results using Facet Search syntax.

To retrieve alerts for a specific endpoint, such as 'MisterTaylor-PC', see the example on the right.

Refer to the Fidelis API Guide for details on Facet Search. Operator values must be specified using their corresponding integer values. For example, '=' is represented as 0, while 'Contains' is represented as 7.

JSON
[
  {
    "fieldName": "EndpointName",
    "values": [
      {
        "value": "MisterTaylor-PC",
        "operator": 0
      }
    ]
  }
]

Number of Event(s) Fetched

Optional

The maximum number of alerts to return, ranging from 1 to 1000. By default, all alerts matching the filter criteria will be returned.

10

Output

Return Data

Indicates one of the possible command execution states: Successful, Successful with No Event Data, or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "entities": [
            {
                "id": *****,
                "createDate": "2019-11-15T17:57:47.412Z",
                "endpointName": "MisterTaylor-PC",
                "endpointId": "*****",
                "name": "Fidelis Intelligence - Suspicious Network",
                "description": "Fidelis Endpoint encountered a suspicious address.\nName: Fidelis Intelligence - Suspicious Network\nAddress: ***.***.***.***\nIntel Source: Intelligence Feed",
                "artifactName": "***.***.***.***",
                "source": "Intelligence Feed",
                "sourceType": 16,
                "severity": 5,
                "intelId": "*****",
                "intelName": "Fidelis Intelligence - Suspicious Network",
                "validatedDate": null,
                "actionsTaken": "",
                "eventId": "*****",
                "eventTime": "2019-11-15T17:57:47.412Z",
                "parentEventId": "",
                "eventType": 3,
                "eventIndex": 122,
                "reportId": "*****",
                "telemetry": null,
                "insertionDate": "2019-11-15T18:01:16.836Z",
                "hasJob": false,
                "osType": 1,
                "agentTag": null,
                "enrichments": []
            }
        ],
        "totalCount": 82
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "AlertIDs": [*****],
  "AlertNames": [ "Fidelis Intelligence - Suspicious Network" ],
  "ArtifactNames": ["***.***.***.***"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Start Time (UTC)

2024-09-14T01:22:34.000Z

End Time (UTC)

2024-09-17T01:22:34.000Z

Events Count

1

Fetch Event Field Mapping

Fetch Event commands require event field mapping. Field mapping plays a key role for data normalization within the event pipeline. Field mapping converts the original data fields from the different providers to standardized D3 fields as defined by the D3 Model. Refer to Event and Incident Intake Field Mapping for details. 

To customize field mapping, click + Add Field and add the custom field of your choice. You can also remove built-in field mappings by clicking x. Note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

As a system integration, the Fidelis EDR integration has some pre-configured field mappings for default field mapping.

  • Default Event Source
    The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched alerts. The default event source has a "Main Event JSON Path" (i.e. $.data.entities) that is used to extract a batch of events from the response raw data. Click Edit Main JSON Path to view the "Main Event JSON Path".

  • Main Event JSON Path: $.data.entities
    The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
    For example, the root node of a JSON Path is $.data.entities. The child node denoting the Artifact Name field would be .artifactName. Putting it together, the JSON Path expression to extract the Artifact Name is $.data.entities.artifactName.

The pre-configured field mappings are detailed below:

Field Name

Source Field

Artifact Name

artifactName

Endpoint ID

.endpointId

Event Index

.eventIndex

Event Time

.eventTime

Has Job

.hasJob

Insertion Time

.insertionDate

Intel ID

.intelId

Intel Name

.intelName

Parent Event Time

.parentEventId

Report ID

.reportId

Telemetry

.telemetry

Validated Date

.validatedDate

Document ID

.id

Event name

.name

Original event ID

.eventId

Event Type

.eventType

Hostname

.endpointName

Start Time

createDate

Description

.description

Action taken

.actionsTaken

Operating system

.osType

Severity

.severity

Source type

.sourceType

Source

.source

Tag

.agentTag

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Script Job Status failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Get Script Job Status failed.

Status Code: 400.

Message: Connection is required for Test Command

Get Collected Files

Retrieves the files collected from a previously executed Search Files command, providing the File ID necessary for executing the Download Collected Files command. Prior to using this command, ensure that the Search Files has been successfully completed by checking its status with the Get File Search Task Status command.

READER NOTE

Job ID and Job Result ID are required parameters to run this command.

  • Run the Search Files command to obtain them. Job IDs can be found in the raw data at the path $.data.jobId, while Job Result IDs can be found at the path $.data.jobResultId.

Input

Input Parameter

Required/Optional

Description

Example

Job ID

Required

The ID corresponding to the job for which to retrieve the collected files. Job ID can be obtained using the Search Files command.

*****

Job Result ID

Required

The ID corresponding to a job result for retrieving the collected files. Job Result ID can be obtained using the Search Files command.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "jobStartTime": "2021-12-15T18:11:34.5247959",
        "jobEndTime": "2021-12-15T18:15:42.057",
        "userId": *****,
        "jobResultInfos": [
            {
                "hostName": "TestAgent",
                "hostIP": "***.***.***.***",
                "agentId": "*****",
                "collectedFiles": [
                    {
                        "name": "AgentSetup.txt",
                        "id": "*****",
                        "mD5Hash": "*****",
                        "filePath": "[root]\\av tenant\\AgentSetup.txt",
                        "fileSize": 2962
                    },
                    {
                        "name": "Fidelis Endpoint Platform.exe",
                        "id": "*****",
                        "mD5Hash": "*****",
                        "filePath": "[root]\\av tenant\\Fidelis Endpoint Platform.exe",
                        "fileSize": 64480912
                    }
                ]
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "HostNames": ["TestAgent"],
  "HostIPs": ["***.***.***.***"],
  "FilePaths": [ "[root]\\av tenant\\AgentSetup.txt", "[root]\\av tenant\\Fidelis Endpoint Platform.exe" ],
  "MD5Hashes": ["*****","*****"],
  "FileIDs": ["*****","*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

success

True

error

None

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Alerts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

List Alerts failed.

Status Code: 400.

Message: Connection is required for Test Command

Get File Search Task Status

Retrieves the status of a previously initiated Search Files task.

READER NOTE

Job ID and Job Result ID are required parameters to run this command.

  • Run the Search Files command to obtain them. Job IDs can be found in the raw data at the path $.data.jobId, while Job Result IDs can be found at the path $.data.jobResultId.

Input

Input Parameter

Required/Optional

Description

Example

Job ID

Required

The ID corresponding to the job for which to retrieve the Search Files task status. Job ID can be obtained using the Search Files command.

*****

Job Result ID

Required

The ID corresponding to a job result for retrieving the Search Files task status. Job Result ID can be obtained using the Search Files command.

*****

Poll Timeout

Optional

The duration, in seconds, that the command will continue polling. The command will continue to poll until the specified duration has elapsed or until the task status changes to Completed or Failed. By default, the value is 0, meaning that the command will return the task status immediately. The maximum value is 1800 seconds (30 minutes). If a value exceeding 1800 is provided, it will be capped at 1800 seconds.

30

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "jobID": "*****",
        "resultID": "*****",
        "name": "File Collection-04-24-2019 22.02.05",
        "startDate": "2019-04-24T22:02:05.2557023",
        "endDate": "2019-04-24T22:04:09.2433333",
        "createdDate": "2019-04-24T22:02:05.1148222",
        "hasSchedule": false,
        "fromScheduledTask": false,
        "status": "Completed",
        "statusCode": 3,
        "scriptPackage": null,
        "createdBy": "administrator",
        "hasAlert": false,
        "alertName": null,
        "alertId": null,
        "fromPlaybook": false,
        "playbook": null,
        "order": null
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "JobID": "*****",
  "JobResultID": "*****",
  "Status": "Completed"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

success

True

error

None

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Scripts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

List Scripts failed.

Status Code: 400.

Message: Connection is required for Test Command

Get Script Job Results

Retrieves the execution results of the script package job.

READER NOTE

Job ID is a required parameter to run this command.

  • Run the Execute Script Package command to obtain the Job ID. Job IDs can be found in the raw data at the path $.data.jobId.

Input

Input Parameter

Required/Optional

Description

Example

Job ID

Required

The ID of the script package execution job for which to retrieve the results. Job ID can be obtained using the Execute Script Package command.

*****

Search Conditions

Optional

The search field(s) and value(s) used to filter job results with Facet Search syntax. To retrieve job results for a specific endpoint, such as '*****,' see the example on the right. Refer to the Fidelis API Guide for details on Facet Search. Operator values must be specified using their corresponding integer values. For example, '=' is represented as 0, while 'Contains' is represented as 7.

JSON
[
  {
    "fieldName": "EndpointName",
    "values": [
      {
        "value": "*****",
        "operator": 0
      }
    ]
  }
]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "hits": {
            "total": 2,
            "hits": [
                {
                    "_source": {
                        "User": "T19-WIN10-E-190\\Administrator",
                        "_Row": "157905352600001",
                        "_EndpointId": "*****",
                        "_EndpointName": "*****",
                        "_GroupID": "*****",
                        "Matches": 0
                    },
                    "_id": "*****",
                    "tags": []
                },
                {
                    "_source": {
                        "User": "T19-WIN10-E-190\\*****",
                        "_Row": "157905352600002",
                        "_EndpointId": "*****",
                        "_EndpointName": "*****",
                        "_GroupID": "*****",
                        "Matches": 0
                    },
                    "_id": "*****",
                    "tags": []
                }
            ],
            "useNonDeterministicPaging": false,
            "nonDeterministicPagingInfo": null
        },
        "columns": [
            "_EndpointId",
            "_EndpointName",
            "_Error",
            "_Row",
            "User"
        ]
    }
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Job Results Count

2

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Script Manifest failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Script Manifest failed.

Status Code: 400.

Message: Connection is required for Test Command

Get Script Job Status

Retrieves the status of a script package execution job using the Job Result ID.

READER NOTE

Job Result ID is a required parameter to run this command.

  • Run the Execute Script Package command to obtain the Job Result ID. Job Result IDs can be found in the raw data at the path $.data.jobResultId.

Input

Input Parameter

Required/Optional

Description

Example

Job Result ID

Required

The result ID of the script package execution job for which to retrieve the status. Job Result ID can be obtained using the Execute Script Package command.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "targets": [
            {
                "jobResultId": "*****",
                "jobTargetResultId": "*****",
                "itemId": "*****",
                "name": "*****",
                "jobStatusCode": 3,
                "status": "Completed",
                "startDate": "2019-04-25T14:58:54.553",
                "endDate": "2019-04-25T14:58:54.997",
                "statusMessage": null
            }
        ],
        "total": 1,
        "jobName": "Computer Uptime-04-25-2019 14.58.54",
        "jobTypeCode": 20,
        "jobId": "*****"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "JobID": "*****",
  "JobName": "Computer Uptime-04-25-2019 14.58.54",
  "TargetNames": ["*****"],
  "JobStatuses": ["Completed"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

total

1

jobName

Computer Uptime-04-25-2019 14.58.54

jobTypeCode

20

jobId

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Search File failed.

Status Code: 400.

Message: Connection is required for Test Command

Get Script Manifests

Retrieves the script package manifest(s) using the Script ID(s).

READER NOTE

Script IDs is a required parameter to run this command.

  • Run the List Scripts command to obtain the Script IDs. Script IDs can be found in the raw data at the path $.data.scripts[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Script IDs

Required

The ID(s) of the script package to get manifest(s). Script ID can be obtained using the List Scripts command.

CODE
[ "*****" ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "Results": [
        {
            "success": true,
            "error": null,
            "data": {
                "id": "*****",
                "name": "All User Accounts (WMI)",
                "platforms": {
                    "windows32": true,
                    "windows64": true,
                    "linux32": false,
                    "linux64": false,
                    "solaris": false,
                    "aix": false,
                    "osx": false
                },
                "tags": "User,Accounts,System Management",
                "createdBy": 1001,
                "createdByName": "endpoint_apiuser",
                "createdDate": "2019-04-15T20:00:54.3757572",
                "fileCount": 2,
                "scriptPackageFiles": [
                    {
                        "fileName": "listAllUserAccounts.vbs",
                        "fileId": "*****"
                    },
                    {
                        "fileName": "common.vbs",
                        "fileId": "*****"
                    }
                ],
                "platformsStringList": null,
                "platformsLocalizedStringList": null,
                "description": "Lists all the user accounts. Use the optional parameter to filter the results to those that have a username that contains the supplied text",
                "priority": null,
                "resultColumns": [
                    "User",
                    "Enabled",
                    "Account Type",
                    "Password Required"
                ],
                "timeoutSeconds": 300,
                "impersonationUser": null,
                "impersonationPassword": null,
                "command": "listAllUserAccounts.vbs {[T:T,?]Username Filter}",
                "wizardOverridePassword": false,
                "questions": [
                    {
                        "paramNumber": 1,
                        "question": "Username Filter",
                        "answer": null,
                        "isOptional": true,
                        "inputType": "text"
                    }
                ],
                "questionsHaveLoadError": false,
                "resultDelimiter": ",",
                "dataDependencies": []
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "ScriptIDs": ["*****"],
  "ScriptNames": [ "All User Accounts (WMI)" ],
  "ScriptDescriptions": [ "Lists all the user accounts. Use the optional parameter to filter the results to those that have a username that contains the supplied text" ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Script Packages Count

1

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Search File failed.

Status Code: 400.

Message: Connection is required for Test Command

Get Script Templates

Retrieves the script package template(s) using the Script ID(s).

READER NOTE

Script IDs is a required parameter to run this command.

  • Run the List Scripts command to obtain the Script IDs. Script IDs can be found in the raw data at the path $.data.scripts[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Script IDs

Required

The ID(s) of the script package to get template(s). Script ID can be obtained using the List Scripts command.

CODE
[ "*****" ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "Results": [
        {
            "success": true,
            "error": null,
            "data": {
                "integrationOutputs": [],
                "scriptPackageId": "*****",
                "useImpersonation": false,
                "impersonationUser": null,
                "impersonationPassword": null,
                "timeoutInSeconds": 300,
                "hosts": [],
                "endpointIds": [],
                "questions": {},
                "useSchedule": false,
                "schedule": {
                    "initialDateTime": "0001-01-01T00:00:00",
                    "recurrenceRange": 0,
                    "maxRecurrenceCount": 0,
                    "endDateTime": null,
                    "timeUnit": 0,
                    "period": 0,
                    "ordinalUnit": 0,
                    "ordinal": 0,
                    "ordinalDayOfWeek": 0,
                    "ordinalMonth": 0,
                    "weekday": [],
                    "timeZoneName": null,
                    "isIncremental": false
                }
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "ScriptIDs": ["*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Script Packages Count

1

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Search File failed.

Status Code: 400.

Message: Connection is required for Test Command

List Hosts

Retrieves endpoint information based on host name or IP address. Endpoints with a host name in the Host Names list or an IP address in the IP Addresses list will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Host Names

Optional

The host name(s) of the endpoint(s) to be retrieved.

CODE
[ "*****" ]

IP Addresses

Optional

The IP address(es) of the endpoint(s) to be retrieved.

CODE
[ "***.***.***.***" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "endpoints": [
            {
                "id": "*****",
                "hostName": "*****",
                "ipAddress": "***.***.***.***",
                "description": null,
                "lastContactDate": "2019-04-17T17:58:21.6167553",
                "agentInstalled": true,
                "agentVersion": "***.***.***.***",
                "os": "Microsoft Windows 10 Professional x64 Edition",
                "macAddress": "*****",
                "aV_Enabled": false,
                "eventsStopped": false,
                "locality": null,
                "groupList": null,
                "isGroupMember": false,
                "agentConnected": false,
                "isolated": false,
                "osType": 1,
                "osArch": 2,
                "agentTag": null,
                "createdDate": "2019-04-17T10:57:22.5398325",
                "avSigVersion": null,
                "advMalwareVersion": null,
                "aR_Enabled": false,
                "events_Enabled": true,
                "agentId": "*****",
                "onNetwork": true,
                "groups": null,
                "processorName": "Intel(R) Xeon(R) CPU E5-2623 v3 @ 3.00GHz",
                "processorCount": 1,
                "processorSpeedInMhz": 3001,
                "processorNumOfCores": 2,
                "processorNumOfLogicalProcessors": 2,
                "ramSize": 4293771264,
                "flag": false,
                "port": null,
                "createdByType": 5,
                "interfaceIPs": null,
                "agentScoreboardHash": null,
                "investigativeModeEnabled": false,
                "investigativeModeDuration": null,
                "investigativeModeStartTime": null,
                "eventsVersion": null,
                "activeDirectoryId": null
            }
        ],
        "totalCount": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "EndpointIDs": ["*****"],
  "HostNames": ["*****"],
  "HostNames": ["*****"],
  "IPAddresses": ["***.***.***.***"],
  "OperatingSystems": [ "Microsoft Windows 10 Professional x64 Edition" ],
  "LastContactDate": ["2019-04-17T17:58:21.6167553"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Endpoints Count

1

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Search File failed.

Status Code: 400.

Message: Connection is required for Test Command

List Scripts

Retrieves a list of all script packages.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "scripts": [
            {
                "id": "*****",
                "name": "Administrators",
                "description": "Lists all users with Administrator rights. Use the optional parameter to filter the results to usernames that contain the supplied text."
            },
            {
                "id": "*****",
                "name": "Agent Log",
                "description": "Returns log entries from the Fidelis Agent."
            },
            {
                "id": "*****",
                "name": "All User Accounts",
                "description": "Displays information about any created users on an endpoint."
            }
        ],
        "totalCount": 132
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "ScriptIDs": ["*****","*****","*****"],
  "ScriptNames": [ "Administrators", "Agent Log", "All User Accounts" ],
  "ScriptDescriptions": [ "Lists all users with Administrator rights. Use the optional parameter to filter the results to usernames that contain the supplied text.", "Returns log entries from the Fidelis Agent.", "Displays information about any created users on an endpoint." ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Script Packages Count

3

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Search File failed.

Status Code: 400.

Message: Connection is required for Test Command

Search Behavior Events

Retrieves information about behaviors (events) for a specific entity type.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The beginning of the time range, in UTC, for returning behavior events. By default, the start time is 3 days before the End Time.

2024-08-06 18:00:00

End Time

Optional

The end of the time range, in UTC, for returning behavior events. By default, the end time is the current time.

2024-08-06 18:59:59

Host Names

Optional

Filters behavior event results to the specified endpoint(s), allowing for full or partial host name(s).

CODE
[ "*****", "*****" ]

Entity Type

Required

The entity type to query behavior events.

Process

OS Types

Optional

The operating system type(s) used to query behavior events. By default, the query will not filter by OS type. The available OS types are as follows:

  • Windows

  • Linux

  • OSX

[ "Windows", "Linux" ]

Logic Operator

Optional

The logic operator (AND / OR) used among filters. By default, the value is AND.

AND

Filters

Required

Criteria that narrow down behavior event search results. D3 uses the 'CriteriaV3' object, enabling the use of composite filters to implement complex conditional logic, such as '(A AND B) OR (C AND D).' Each filter JSON object must include the fields: column, operator, and value. For information on composite filter syntax, refer to the Fidelis API guide or consult D3 Support.

JSON
[
  {
    "filterType": "criteria",
    "column": "name",
    "operator": "=",
    "value": "*****.exe"
  },
  {
    "filterType": "criteria",
    "column": "path",
    "operator": "=~",
    "value": "temporary files"
  }
]

Limit

Optional

The maximum number of behavior events to return. The permissible range is an integer from 1 to 1000. By default, the limit is 1000. To return all results, enter -1.

10

Relationship Parent Filters

Optional

A parent filter for search results. This parameter is not applicable to System and USB main entity types. When the main entity type is Process, the parent filter provides results based on the attributes of the parent processes that initiated the processes in the result set. For other entity types, the parent filter retrieves results based on the attributes of the process that executed the action represented by that entity type. In such cases, the parent process can be considered the acting process, though their concepts are similar. Users may use a parent filter to exclude results where the parent (or acting) process is a trusted process, as identified by its hash, signature, or well-known PID. The logic operator applied to relationship parent filters is AND.

JSON
[
  {
    "filterType": "criteria",
    "column": "hash",
    "operator": "=",
    "value": "*****"
  }
]

Relationship Children Criteria

Optional

This parameter is valid only when the main entity type is Process. Child filters filter the process results based on the behaviors performed by these processes. A child filter specifies a particular behavior by its entity type and other criteria specific to that entity type. When using a child filter, USB and System cannot be specified, as these entity types are not associated with processes. Child filters can be used to identify suspicious behaviors, such as establishing a network connection to a known malicious IP address or accessing sensitive registry keys. The logic operator applied to child criteria is AND. Refer to the sample data for the syntax of child criteria.

JSON
[
    {
        "entityType": "file",
        "filter": {
            "filterType": "composite",
            "logic": "and",
            "filters": [
                {
                    "filterType": "criteria",
                    "column": "eventType",
                    "operator": "IN",
                    "value": [
                        2
                    ]
                },
                {
                    "filterType": "criteria",
                    "column": "path",
                    "operator": "=~",
                    "value": "System32\\secccchost.dll"
                }
            ]
        }
    },
    {
        "entityType": "process",
        "filter": {
            "filterType": "composite",
            "logic": "and",
            "filters": [
                {
                    "filterType": "criteria",
                    "column": "name",
                    "operator": "=",
                    "value": "somethingreallybad.exe"
                }
            ]
        }
    }
]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "events": [
            {
                "eventTime": "2018-04-16T20:45:59.718Z",
                "endpointName": "*****",
                "eventType": 0,
                "parentId": "*****",
                "targetId": "*****",
                "pid": *****,
                "parentName": "*****.exe",
                "name": "*****.exe",
                "path": "C:\\Windows\\System32\\*****.exe",
                "parameters": "C:\\Windows\\SYSTEM32\\*****.exe /c 'C:\\test\\*****'",
                "hash": "*****",
                "user": "*****\\Administrator",
                "processStartTime": "2018-04-16T20:45:59.718Z",
                "indexingTime": "2018-04-16T20:47:34.642Z"
            },
            {
                "eventTime": "2018-04-16T20:45:50.554Z",
                "endpointName": "*****",
                "eventType": 0,
                "parentId": "*****",
                "targetId": "*****",
                "pid": *****,
                "parentName": "*****.exe",
                "name": "*****.exe",
                "path": "C:\\Windows\\System32\\*****.exe",
                "parameters": "C:\\WINDOWS\\SYSTEM32\\*****.exe /c 'C:\\test\\*****'",
                "hash": "*****",
                "user": "*****\\*****",
                "processStartTime": "2018-04-16T20:45:50.554Z",
                "indexingTime": "2018-04-16T20:46:17.061Z"
            }
        ],
        "isComplete": true,
        "status": {
            "status": 1,
            "interval": null,
            "numberOfIntervals": 0,
            "currentIntervalIndex": 0
        },
        "pageInfo": {
            "searchAfter": [
                1523911550554
            ],
            "nextIndexToSearch": "eq_20180416_1523836800000"
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "HostNames": ["*****","*****"],
  "PIDs": [*****,*****],
  "ProcessNames": ["*****.exe","*****.exe"],
  "FileHashes": ["*****","*****"],
  "FilePaths": ["C:\\Windows\\System32\\*****.exe","C:\\Windows\\System32\\*****.exe"],
  "Users": ["*****\\Administrator","*****\\*****"],
  "EventStartTime": ["2018-04-16T20:45:59.718Z","2018-04-16T20:45:50.554Z"],
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Behavior Events Count

2

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Search File failed.

Status Code: 400.

Message: Connection is required for Test Command

Search Files

Collects files that match specified search criteria across a set of endpoints.

Input

Input Parameter

Required/Optional

Description

Example

Hosts

Optional

The host(s) on which files will be searched.

JSON
[ "***.***.***.***" ]

MD5s

Optional

The MD5 hash value(s) of the file(s) to be searched.

JSON
[ "*****" ]

File Extensions

Optional

The extension(s) of the file(s) to be searched.

JSON
[ ".exe" ]

File Paths

Optional

The file path(s) to be searched.

JSON
[ "C:\\Users\\*****" ]

File Size

Optional

The minimum file size of the file(s) to be searched. By default, the value is 1024.

100

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "success": true,
    "error": null,
    "data": {
        "jobId": "*****",
        "jobResultId": "*****"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "JobID": "*****",
  "JobResultID": "*****"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

success

True

error

None

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Search File failed.

Status Code: 400.

Message: Connection is required for Test Command

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Connection is required for Test Command

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: You must have a valid Support account to call this API

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.